CVSS2

Metric | Value |
---|---|
Attack Vector | NETWORK |
Attack Complexity | LOW |
Authentication | NONE |
Confidentiality Impact | NONE |
Integrity Impact | NONE |
Availability Impact | COMPLETE |

AV:N/AC:L/Au:N/C:N/I:N/A:C

CVSS3

Metric | Value |
---|---|
Attack Vector | NETWORK |
Attack Complexity | LOW |
Privileges Required | NONE |
User Interaction | NONE |
Scope | UNCHANGED |
Confidentiality Impact | NONE |
Integrity Impact | NONE |
Availability Impact | HIGH |

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

EPSS

Metric | Value |
---|---|
Percentile | 92.1% |

Some HTTP/2 implementations are vulnerable to a settings flood, potentially
leading to a denial of service. The attacker sends a stream of SETTINGS
frames to the peer. Since the RFC requires that the peer reply with one
acknowledgement per SETTINGS frame, an empty SETTINGS frame is almost
equivalent in behavior to a ping. Depending on how efficiently this data is
queued, this can consume excess CPU, memory, or both.
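
One way a server-side frame reader could bound the behaviour described above, shown as an added example that is not code from any of the affected projects. It parses the 9-byte HTTP/2 frame header and applies a sliding-window limit to SETTINGS frames that require an ACK. The names `SettingsFloodGuard`, `scan` and `settings`, the thresholds and the sample byte strings are assumptions constructed for illustration; the input is taken to be decrypted frame data after the connection preface.

```python
from collections import deque

FRAME_HEADER_LEN = 9   # RFC 7540 section 4.1: 24-bit length, type, flags, 31-bit stream id
TYPE_SETTINGS = 0x4
FLAG_ACK = 0x1

class SettingsFloodGuard:
    """Sliding-window limit on inbound non-ACK SETTINGS frames for one connection."""
    def __init__(self, max_frames=10, window=1.0):   # assumed thresholds, tune per service
        self.max_frames, self.window = max_frames, window
        self.seen = deque()

    def observe(self, now, ftype, flags):
        # Only SETTINGS frames that oblige the receiver to queue an ACK are counted.
        if ftype != TYPE_SETTINGS or flags & FLAG_ACK:
            return False
        self.seen.append(now)
        while now - self.seen[0] > self.window:
            self.seen.popleft()
        return len(self.seen) > self.max_frames

def scan(chunks, guard):
    """Parse (timestamp, bytes) reads; return (frames_parsed, trip_time or None)."""
    buf, frames = b"", 0
    for now, data in chunks:
        buf += data
        off = 0
        while len(buf) - off >= FRAME_HEADER_LEN:
            length = int.from_bytes(buf[off:off + 3], "big")
            end = off + FRAME_HEADER_LEN + length
            if end > len(buf):
                break                  # frame split across reads; wait for more data
            frames += 1
            if guard.observe(now, buf[off + 3], buf[off + 4]):
                return frames, now     # a real server would close the connection here
            off = end
        buf = buf[off:]
    return frames, None

def settings(ack=False, payload=b""):
    """Build a SETTINGS frame on stream 0 (used only for the constructed samples)."""
    flags = FLAG_ACK if ack else 0
    return len(payload).to_bytes(3, "big") + bytes([TYPE_SETTINGS, flags]) + bytes(4) + payload

# Constructed samples: a normal exchange, then 50 empty SETTINGS frames split mid-frame.
BENIGN = [(0.0, settings(payload=b"\x00\x03\x00\x00\x00\x64")),
          (0.05, settings(ack=True)), (2.0, settings())]
FLOOD_BYTES = settings() * 50
FLOOD = [(0.0, FLOOD_BYTES[:50]), (0.2, FLOOD_BYTES[50:])]
```

The guard trips on the eleventh SETTINGS frame inside the window, so the receiver stops queuing acknowledgements instead of buffering one per frame.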
Author | Note |
---|---|
sbeattie | nginx added http2 support in 1.9.5; nginx previously fixed issue for CVE-2018-16844; netty added http2 support in 4.1.0; twisted added http2 support in 16.3; trafficserver enabled http2 support by default in 7.0 |
OS | OS Version | Architecture | Package | Package Version | Filename |
---|---|---|---|---|---|
ubuntu | 18.04 | noarch | golang-google-grpc | < any | UNKNOWN |
ubuntu | 20.04 | noarch | golang-google-grpc | < any | UNKNOWN |
ubuntu | 22.04 | noarch | golang-google-grpc | < any | UNKNOWN |
ubuntu | 24.04 | noarch | golang-google-grpc | < any | UNKNOWN |
ubuntu | 16.04 | noarch | golang-google-grpc | < any | UNKNOWN |
ubuntu | 18.04 | noarch | grpc | < any | UNKNOWN |
ubuntu | 20.04 | noarch | grpc | < any | UNKNOWN |
ubuntu | 22.04 | noarch | grpc | < any | UNKNOWN |
ubuntu | 24.04 | noarch | grpc | < any | UNKNOWN |
ubuntu | 16.04 | noarch | grpc | < any | UNKNOWN |
blog.kazuhooku.com/2019/08/h2o-version-226-230-beta2-released.html
github.com/Netflix/security-bulletins/blob/master/advisories/third-party/2019-002.md
github.com/netty/netty/pull/9460
labs.twistedmatrix.com/2019/11/twisted-19100-released.html
launchpad.net/bugs/cve/CVE-2019-9515
netty.io/news/2019/08/13/4-1-39-Final.html
nvd.nist.gov/vuln/detail/CVE-2019-9515
security-tracker.debian.org/tracker/CVE-2019-9515
ubuntu.com/security/notices/USN-4308-1
ubuntu.com/security/notices/USN-4866-1
www.cve.org/CVERecord?id=CVE-2019-9515